Who is responsible for the conclusion of a data processing agreement? German Data Protection Authority: the controller.

Negotiations of data processing agreements are not always concluded quickly in practice and often carry some potential for dispute.

According to Art. 28 (1) GDPR, where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject. Processing by a processor shall be governed by a contract that is binding on the processor (Art. 28 (3) GDPR).

In its recent activity report (German, p. 41), the Data Protection Authority of Bavaria for the Private Sector (BayLDA) reports on enquiries in which controllers wanted to know how to deal with the situation when it is not possible to agree on a contract with service providers (data processors) for the processing of personal data.

According to the BayLDA, if a controller and a processor cannot agree on the conclusion or a necessary adjustment of the data processing agreement, the legal basis for the processing shall cease to apply to the processor. This is also the case if both companies are part of the same group.

The supervisory authority then addresses the question of which of the two parties is responsible for concluding the data processing agreement.

"The responsibility lies with the client, who, as the data controller, is obliged to ensure that his processing operations are legally compliant also if he involves a service provider".

It therefore appears that the BayLDA derives an obligation of the controller to conclude the data processing agreement from the GDPR.

The supervisory authority does not stop here, but also comments on the risks for the processor. If the legal basis for the processor does not exist, an administrative fine may be imposed on the processor, but also on the controller (Art. 83 (4) lit. a) in conjunction with Art. 28 GDPR).

According to its own statement, the supervisory authority had previously refrained from this possibility of sanction in the case of old contracts from the time before the GDPR, if both parties had obviously endeavored to conclude a new contract and no obvious disadvantages had occurred for the data subject.

Fredrik Norberg Wieslander

Privacy Professional | DPO | CIPPE, CIPM (trainer)

5 years ago

I fail to see the problem here, but I do see a few misunderstandings though.

1. Controller is responsible for making sure a legally binding DPA is in place before enlisting the services of a processor
2. The DPA is not a legal basis for processing, for the processor. The processor does not have, and can not have, a legal basis for processing (because otherwise it could not be a controller-processor relationship).
3. The processor is however responsible for correcting any unlawful processing of the controller it may find and if so is responsible to notify the controller of this.

I think there must be something lost in translation here because nothing in this article makes sense. I doubt the Bavarian DPA would be struggling with understanding this, it is explicitly stated in GDPR, no interpretation needed.

Andreea Lisievici Nevin

Privacy & Tech Lawyer, Managing Partner @ ICTLC Sweden | Mentoring and training privacy professionals @ PrivacyCraft | Lecturer @ Maastricht Uni | Certified DPO (ECPC-B), CIPP/E, CIPM, FIP | ex-Volvo Cars, ex-Boeing

5 years ago

I don't understand how a legal basis can not apply to the processor. It is one and the same processing activity, with a single legal basis.

Neil Saddington

Privacy & Data Protection

5 years ago

Interesting assessment, and an important distinction in terms of processors; whilst the controller should assume responsibility for conclusion, there is clearly value in the processor taking all reasonable steps to conclude the agreement.

More articles by Dr. Carlo Piltz